
`graphiti-core` may be importing a package unintentionally

Open t41372 opened this issue 8 months ago • 1 comments

Hey

I noticed that graphiti-core may be importing a package unintentionally.

While working on a pull request to migrate graphiti-core from Poetry to uv, I ran into a circular import issue between graphiti-core and graph-service (the one in the server directory). I dug into it and found something odd.

In graphiti-core's pyproject.toml, there's a dependency listed as graph-service. However, it doesn’t seem to be referenced anywhere in the codebase, and it's causing circular import issues because of the naming conflict with the local graph-service in the server folder.

Digging deeper, the dependency in pyproject.toml appears to reference a completely different graph-service from PyPI (this one)—not the local one. The version specifier and lack of a local path confirm this.

Here’s the relevant section from pyproject.toml:

```toml
packages = [{ include = "graphiti_core", from = "." }]
dependencies = [
    "pydantic>=2.8.2",
    "neo4j>=5.23.0",
    "diskcache>=5.6.3",
    "openai>=1.53.0",
    "tenacity>=9.0.0",
    "numpy>=1.0.0",
    "python-dotenv>=1.0.1",
    "graph-service (>=1.0.0.7,<2.0.0.0)",
]
```

And here’s the pyproject.toml for the local graph-service:

```toml
[tool.poetry]
name = "graph-service"
version = "0.1.0"
description = "Zep Graph service implementing Graphiti package"
authors = ["Paul Paliychuk <[email protected]>"]
readme = "README.md"
packages = [{ include = "graph_service" }]
```

The version number doesn't match.

The PyPI package is concerning because there’s no clear information or source code available for it. Was it intentional to import this package? I haven’t fully investigated its use yet, but unexpected dependencies like this can pose serious security risks.

Also, is there a reason we're importing graph-service in graphiti-core at all? I couldn’t find any references to it in the graphiti-core code. If there are no special considerations, I suggest removing it to prevent circular imports. Poetry might have masked the issue because of how it resolves dependencies, but it breaks under uv—this is how I spotted it.

Let me know your thoughts.

t41372 avatar May 04 '25 10:05 t41372

Yes, that dependency got added automatically when I rebuilt poetry at one point and I didn't catch it.

Thanks for catching this and I will remove it.

prasmussen15 avatar May 04 '25 14:05 prasmussen15

This has now been fixed. Thank you again.

prasmussen15 avatar May 04 '25 14:05 prasmussen15